Description of problem:
virsh console gives the following error: No console available for domain

Version-Release number of selected component (if applicable):
[ruben@fikkie ~]$ rpm -qf /usr/sbin/xenconsoled
xen-runtime-3.4.2-1.fc12.x86_64
[ruben@fikkie ~]$ rpm -q selinux-policy
selinux-policy-3.6.32-63.fc12.noarch

How reproducible:
run xm console in selinux enforcing mode

Actual results:
From audit.log:
type=AVC msg=audit(1262891149.001:26): avc: denied { read } for pid=1361 comm="xenconsoled" name="nsswitch.conf" dev=dm-0 ino=553 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.026:27): avc: denied { read } for pid=1361 comm="xenconsoled" name="nsswitch.conf" dev=dm-0 ino=553 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.032:28): avc: denied { read } for pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.033:29): avc: denied { read } for pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.033:30): avc: denied { setattr } for pid=1361 comm="xenconsoled" name="1" dev=devpts ino=4 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:xen_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1262891149.033:31): avc: denied { setrlimit } for pid=1981 comm="xenconsoled" scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process
type=AVC msg=audit(1262891149.033:32): avc: denied { execute } for pid=1981 comm="xenconsoled" name="pt_chown" dev=dm-0 ino=262481 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file
type=AVC msg=audit(1262891149.036:33): avc: denied { read } for pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.036:34): avc: denied { read } for pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.036:35): avc: denied { setattr } for pid=1361 comm="xenconsoled" name="1" dev=devpts ino=4 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:xen_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1262891149.036:36): avc: denied { setrlimit } for pid=1982 comm="xenconsoled" scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process
type=AVC msg=audit(1262891149.036:37): avc: denied { execute } for pid=1982 comm="xenconsoled" name="pt_chown" dev=dm-0 ino=262481 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file
type=AVC msg=audit(1262891149.038:38): avc: denied { read } for pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.038:39): avc: denied { read } for pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.038:40): avc: denied { setattr } for pid=1361 comm="xenconsoled" name="1" dev=devpts ino=4 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:xen_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1262891149.038:41): avc: denied { setrlimit } for pid=1983 comm="xenconsoled" scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process
type=AVC msg=audit(1262891149.038:42): avc: denied { execute } for pid=1983 comm="xenconsoled" name="pt_chown" dev=dm-0 ino=262481 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file
type=AVC msg=audit(1262891149.039:43): avc: denied { read } for pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.039:44): avc: denied { read } for pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262891149.039:45): avc: denied { setattr } for pid=1361 comm="xenconsoled" name="1" dev=devpts ino=4 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:xen_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1262891149.039:46): avc: denied { setrlimit } for pid=1984 comm="xenconsoled" scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process
type=AVC msg=audit(1262891149.040:47): avc: denied { execute } for pid=1984 comm="xenconsoled" name="pt_chown" dev=dm-0 ino=262481 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file

Expected results:
a terminal window to my domU
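Added example, not part of the original report and not the attached policy patch: the audit.log excerpt above repeats a small set of denials, and this sketch collapses AVC records into one entry per (source type, target type, class) so they can be reviewed. The function names are hypothetical; the sample records are copied from the report, and the rendered allow-rule lines are only a review summary of what was denied.

```python
import re

# Six records copied from the report's audit.log excerpt, run together the way
# they appear when pasted without line breaks (one repeat included on purpose).
SAMPLE_LOG = (
    'type=AVC msg=audit(1262891149.001:26): avc: denied { read } for pid=1361 comm="xenconsoled" name="nsswitch.conf" dev=dm-0 ino=553 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file '
    'type=AVC msg=audit(1262891149.032:28): avc: denied { read } for pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file '
    'type=AVC msg=audit(1262891149.033:29): avc: denied { read } for pid=1361 comm="xenconsoled" name="group" dev=dm-0 ino=84 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file '
    'type=AVC msg=audit(1262891149.033:30): avc: denied { setattr } for pid=1361 comm="xenconsoled" name="1" dev=devpts ino=4 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:xen_devpts_t:s0 tclass=chr_file '
    'type=AVC msg=audit(1262891149.033:31): avc: denied { setrlimit } for pid=1981 comm="xenconsoled" scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process '
    'type=AVC msg=audit(1262891149.033:32): avc: denied { execute } for pid=1981 comm="xenconsoled" name="pt_chown" dev=dm-0 ino=262481 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file '
)

DENIAL = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)', re.S)
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def summarize_denials(log_text):
    """Group denials by (source type, target type, class); collect perms, names, count."""
    groups = {}
    # Split on the record marker rather than on newlines so flattened pastes work too.
    for record in re.split(r'(?=type=AVC\b)', log_text):
        m = DENIAL.search(record)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KEYVAL.findall(m.group('rest'))}
        if not {'scontext', 'tcontext', 'tclass'} <= kv.keys():
            continue  # truncated record: skip rather than guess
        src, tgt = se_type(kv['scontext']), se_type(kv['tcontext'])
        if src is None or tgt is None:
            continue
        g = groups.setdefault((src, tgt, kv['tclass']),
                              {'perms': set(), 'names': set(), 'count': 0})
        g['perms'].update(m.group('perms').split())
        g['names'].update([kv['name']] if 'name' in kv else [])  # process denials carry no name=
        g['count'] += 1
    return groups

def as_review_rules(groups):
    """Render each group in allow-rule syntax (a summary for review, not a policy fix)."""
    return ['allow %s %s:%s { %s };' % (s, 'self' if s == t else t, c, ' '.join(sorted(g['perms'])))
            for (s, t, c), g in sorted(groups.items())]
```

Calling `as_review_rules(summarize_denials(SAMPLE_LOG))` yields four lines, one each for `etc_t:file`, `ptchown_exec_t:file`, `xen_devpts_t:chr_file` and `self:process`.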
First could you verify that your devpts line in /etc/fstab looks like

devpts /dev/pts devpts gid=5,mode=620 0 0

If not, you should make it look like that. There was a bug in the F11 install that set this wrong.
Created attachment 382304
Xen patch for F12

Miroslav, can you add this patch?
Yes, it's there:

[ruben@fikkie ~]$ grep devpts /etc/fstab
devpts /dev/pts devpts gid=5,mode=620 0 0
Ok good, I guess this is new stuff that xconsole is executing ptchown.
Fixed in selinux-policy-3.6.32-68.fc12.noarch
selinux-policy-3.6.32-69.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0362
selinux-policy-3.6.32-69.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.